Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the best and most economical method for keeping a continuously maintained reference of historical values?

DrFedtke
Explorer
‎08-19-2015 03:28 AM

Hi all,

We want to compare "today" values in real-time with some aggregatedvalues of yesterday ("day -1"), "day -2", "week mean value", ... etc.

Instead of keeping all the old data (causing volume) to calculate all these reference values anew each day, we want to determine day-related totals, mean values, etc. each day at 1am, and store these values in a kind of "reference table". This allows us to delete old data. Deviations of the real-time monitoring are calculated by referring to that reference table.

What is the best way to realize such a mechanism in Splunk?

Is a lookup table the best choice for keeping the "day(-1)",
... histories? or is there any better method?

Thanks for any tip, link, or sample code.

best, and thanks to all
Caspar

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎08-22-2015 06:15 AM

I second bmacias84's thought, a summary index sounds like exactly what you need. For a very small, isolated set a lookup table would work fine, but what I've found is that as soon as you implement that, you'll realize you also want per hour history, per week, maybe per minute... and it snowballs out of easy manageability.

In addition to his link for the official documentation on Configuring Summary Indexes, I'd recommend an additional resource: Go to the .Conf 2013 session page here and watch the breakout session "Automating Operational Intelligence: Stats and Summary Indexes" by Jesse Trucks. It is a great run-through of creating one.

0 Karma
Reply

somesoni2
Revered Legend
‎08-19-2015 01:37 PM

If the no of aggregated values for each day is very small, you can use lookup table for faster response. You'd have to create a scheduled search to run daily and append yesterday's aggregated to the lookup table.

Reply

bmacias84
Champion
‎08-19-2015 09:43 AM

using Summary indexing with sistats or sitimechart.

http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Configuresummaryindexes

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...